When we added sha1 I just followed the same pattern as md5 (by using an open source imp that was readily available - Scott implemented md5 by hand way back). This means they don't have a dependence on revsecurity - which these days probably doesn't matter so much anymore since the world is/has moved to ssl.

There's a pull request with a spec for digest functions I wrote a while ago here:

I've looked over the pull request, and that all seems reasonable. I don't have strong opinions about the proposed syntax.

Looking at the build files in the libopenssl directory, it seems that we're grabbing the latest openssl library, and that's good. It's not clear to me what happens after that, though... when a standalone app is built are we just using links to whatever openssl library is installed on the target computer or are we bundling the openssl library from the build computer? If it's the latter, then standalone apps won't get security patches.